Information Security is full of terminology.
Sometimes we even understand what we mean. I've yet to come across a truly awesome, yet brief, definition of "threat", for instance.
But one that bugs me, because it shouldn't be that hard to get right, and because I hear it from people I otherwise respect greatly, is that of "input validation".
Fight me on this, but I think that validation is essentially a yes/no decision on a set of input, whether it's textual, binary, or whatever other format you care to define.
Exactly what you are validating is up for debate, whether you're looking at syntax or semantics – is it formatted correctly, versus does it actually make sense?
"Green ideas sleep furiously" is a famous example of a sentence that is syntactically correct – it follows a standard "Adjective noun verb adverb" pattern that is common in English – but semantically, it makes no sense: ideas can't be green, and they can't sleep, and nothing can sleep furiously (although my son used to sleep with his fists clenched really tight when he was a little baby).
"0 / 0" is a syntactically correct mathematical expression, but you can argue if it's semantically correct.
"Sell 1000 shares" might be a syntactically correct instruction, but semantically, it could be you don't have 1000 shares, or there's a business logic limit, which says such a transaction requires extra authentication.
So there's a difference between syntactical validation and semantic validation, but…
Injection attacks occur when input data – a string of characters – is semantically valid in the language of the enclosing code, as code itself, and not just as data. Sometimes (but not always) this means the data contains a character or character sequence that allows the data to "escape" from its data context to a code context.
This is a question I ask, in various round-about ways, in a lot of job interviews, so it's quite an important question.
The answer is really simple.
Yes. And no.
If you can validate your input, such that it is always syntactically and semantically correct, you can absolutely prevent injection exploits.
But this is really only possible for relatively simple sets of inputs, and where the processing is safe for that set of inputs.
An example – suppose I've got a product ordering site, and I'm selling books.
You can order an integer number of books. Strictly speaking, positive integers, and 0 makes no sense, so start at 1. You probably want to put a maximum limit on that field, perhaps restricting people to buying no more than a hundred of that book. If they're buying more, they'll want to go wholesale anyway.
So, your validation is really simple – "is the field an integer, and is the integer value between 1 and 100?"
Having said "yes, and no", I have to show you an example of the "no", right?
OK, let's say you're asking for validation of names of people – what are your validation rules?
Let's assume you're expecting everyone to have "latinised" their name, to make it easy. All the letters are in the range a-z, or A-Z if there's a capital letter.
Great, so there's a rule – only match "[A-Za-z]"
Unless, you know, Leonardo da Vinci. Or di Caprio. So you need spaces.
Or Daniel Day-Lewis. So there's also hyphens to add.
And if you have an O'Reilly, an O'Brian, or a D'Artagnan, or a N'Dour – yes, you're going to add apostrophes.
Now your validation rule is letting in a far broader range of characters than you started out with, and there's enough there to allow SQL injection to happen.
Input can now be syntactically correct by your validation rule, and yet semantically equivalent to data plus SQL code.
I have a working hypothesis. It goes like this.
As a neophyte in information security, you learn a trick.
That trick is validation, and it's a great thing to share with developers.
They don't need to be clever or worry hard about the input that comes in, they simply need to validate it.
It actually feels good to reject incorrect input, because you know you're keeping the bad guys out, and the good guys in.
Then you find an input field where validation alone isn't sufficient.
But you've told everyone – and had other security folk agree with you – that validation is the way to solve injection attacks.
So you learn a new trick – a new way of protecting inputs.
After all, it … uhh, kind of does the same thing. It stops injection attacks, so it must be validation.
This new trick is encoding, quoting, or in some way transforming the data, so the newly transformed data is safe to accept.
Every one of those apostrophes? Turn them into the encoded sequence for an apostrophe if they're going into HTML, or double them if they're in a SQL string, or – and this is FAR better – use parameterised queries so you don't have to even know how the input string is being encoded on its way into the SQL command.
Now your input can be validated – and injection attacks are stopped.
In fact, once you've encoded your inputs properly, your validation can be entirely open and empty! At least from the security standpoint, because you've made the string semantically entirely meaningless to the code in which it is to be embedded as data. There are no escape characters or sequences, because they, too, have been encoded or transformed into semantically safe data.
And I happen to think it's important to separate the two concepts of validation and encoding.
Validation is saying "yes" or "no" to the question "is this string 'good' data?" You can validate in a number of different ways, and with good defence in depth, you'll validate at different locations, based on different knowledge about what is "good". This matches very strongly with the primary dictionary definition of "validation" – it's awesome when a technical term matches very closely with a common language term, because teaching it to others becomes easier.
Encoding doesn't say "yes" or "no"; encoding simply takes whatever input it's given, and makes it safe for the next layer to which the data will be handed.
The Atlantic today published a reminder that the Associated Press has declared in their style guide as of today that the word "Internet" will be spelt with a lowercase "i" rather than an uppercase "I".
The title is "Elegy for the Capital-I Internet", but it manages to be neither elegy nor eulogy, and misses the mark entirely, focusing as it does on the awe-inspiring size of the Internet as being why the upper-case initial was important; then moving to describe how its sheer ubiquity should lead us to associating it with a lower-case i.
The "Internet", capital I, gives the information that this is the only one of its kind, anywhere, ever. There is only one Internet. A lower-case i would indicate that there are several "internets". And, sure enough, there are several lower-class networks-of-networks (which is the definition of "internet" as a lower-case noun).
I'd like to inform the people who are engaging in this navel-gazing debate over big-I or small-i, that there functionally is only exactly one Internet. When their cable company came to "install the Internet", there was no question on the form to say "which internet do you want to connect to?" and people would have been rightly upset if there had been.
So, from that perspective, very much capital-I is still the right term for the Internet. There's only one. Those other smaller internets are not comparable to "the Internet".
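Putting the two concepts side by side, as an added example that is not the post's own code: a yes/no validator for the book quantity, the widened name rule with spaces, hyphens and apostrophes, and then the same validated name handed to SQL two ways. Spliced into the statement text, the apostrophe in O'Reilly closes the string literal and the rest of the name is read as SQL, which is exactly the data-plus-code case described above (SQLite rejects the statement as malformed); bound as a parameter, it stays data. The HTML encoding helper covers the other context the post mentions. The validators, the customers table and the function names are assumptions made for this example.

```python
import html
import re
import sqlite3

# Example written for this post; validators, table and function names are assumptions, not the author's code.

QUANTITY_MIN, QUANTITY_MAX = 1, 100


def validate_quantity(field: str) -> bool:
    """Yes/no: is the field an integer, and is it between 1 and 100 inclusive?"""
    if not re.fullmatch(r"[0-9]+", field.strip()):
        return False
    return QUANTITY_MIN <= int(field) <= QUANTITY_MAX


# The name rule after admitting spaces, hyphens and apostrophes, as the post does.
NAME_RE = re.compile(r"[A-Za-z]+(?:[ '-][A-Za-z]+)*")


def validate_name(name: str) -> bool:
    """Syntactic yes/no on a person's name."""
    return NAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_name_concatenated(conn: sqlite3.Connection, name: str):
    """Validated input spliced into the SQL text. Returns None on success, or the
    parser's complaint: an apostrophe closes the literal and the rest of the name
    is read as SQL, so the 'good' data has become code."""
    sql = "INSERT INTO customers (name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.OperationalError as exc:
        conn.rollback()
        return str(exc)


def insert_name_parameterised(conn: sqlite3.Connection, name: str) -> str:
    """Bound parameter: the driver passes the name as a value, never as SQL syntax,
    so the stored row reads back exactly as entered."""
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    conn.commit()
    row = conn.execute("SELECT name FROM customers WHERE name = ?", (name,)).fetchone()
    return row[0]


def html_encode_name(name: str) -> str:
    """Encoding for the HTML context: the apostrophe becomes a character reference."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    for candidate in ["O'Reilly", "Leonardo da Vinci", "Daniel Day-Lewis"]:
        print(candidate, "passes validation:", validate_name(candidate))
        print("  concatenated:", insert_name_concatenated(db, candidate))
        print("  parameterised:", insert_name_parameterised(db, candidate))
        print("  for HTML:", html_encode_name(candidate))
```

Note that validate_name says "yes" to every one of the names the post lists, and that the concatenated insert fails only for the one with an apostrophe; the parameterised insert does not care which characters the validation rule admits, which is the point of keeping the two concepts separate.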
From a technical perspective, we’re actually at the time when it’s closest to being true that there’s two internets. We’re in the midst of the long, long switch from IPv4 to IPv6. We’ve never done that before. And, while there are components of each that will talk to the other, it’s possible to describe the IPv6 and IPv4 collections of networks as two different "internets". So, maybe small-i is appropriate, but for none of the reasons this article describes.
Having said that, IPv6 engineers work really really hard to make sure that users just plain don’t notice that there’s a second internet while they’re building it, and it just feels exactly like it would if there was still only one Internet.
Again, you come back to "there is only one Internet", you don’t get to check a box that selects which of several internets you are going to connect to, it’s not like "the cloud", where there are multiple options. You are either connected to the one Internet, or you’re not connected to any internet at all.
Capital I, and bollocks to the argument from the associated press – lower-cased, because it's not really that big or important, and neither is the atlantic. So, with their own arguments (which I believe are fallacious anyway), I don't see why they deserve an upper-case initial.
The Atlantic, on the other hand – that's huge and I wouldn't want to cross it under my own steam.
And the Internet, different from many other internets, deserves its capital I as a designation of its singular nature. Because it's a proper noun.
Plenty of other reasons, I'm sure. Maybe I should watch his training.
Every now and again, though, I'll hack my friends as well. There are a few reasons for this, too:
Such is the way with my recent visit to troyhunt.com – I've been researching reflected XSS issues caused by including script in the Referrer header.
Actually, there are two places that hold the referrer, and it's important to know the difference between them, because they get attacked in different ways, and attacks can be simulated in different ways.
The Referrer header (actually misspelled as "Referer") is an HTTP header that the browser sends as part of its request for a new web page. The Referrer header contains the URL of the old page that the browser had loaded and which triggered the browser to fetch the new page.
There are many rules as to when this Referrer header can, and can't, be sent. It can't be sent if the user typed a URL. It can't be sent if the target is HTTP, but the source was HTTPS. But there are still enough places it can be sent that the contents of the Referer header are a source of significant security concern – and why you shouldn't EVER put sensitive data in the URL or query parameters, even when sending to an HTTPS destination. Even when RESTful.
Forging the Referer when attacking a site is a simple matter of opening up Fiddler (or your other favourite scriptable proxy) and adding a new automatic rule to your CustomRules.js, something like this:
// Append to a Referer that already carries a query string:
oSession.oRequest.headers["Referer"] += "&\"-prompt()-\"";
// Or start a query string on a Referer that has none:
oSession.oRequest.headers["Referer"] += "?\"-prompt()-\"";
// Or replace the Referer outright:
oSession.oRequest.headers["Referer"] = "http://www.example.com?\"-prompt()-\"";
Something like this code was in place when I visited other recently reported vulnerable sites, but Troy's I hit manually. Because fun.
Forging this is harder, and I'm not going to delve into it. I want you to know about it in case you've used the Referer header, and referrer-vulnerable code isn't triggering. Avoids tearing your hair out.
So, lately I've been testing sites with a URL ending in the magic string ?"-prompt()-" – and happened to try it at Troy's site, among others.
I'd seen a pattern of adsafeprotected.com advertising being vulnerable to this issue. [It's not the only one by any means, but perhaps the most prevalent]. It's difficult to accurately reproduce this issue, because advertising mediators will send you to different advertisers each time you visit a site.
And so it was with great surprise that I tried this on Troy's site and got an immediate hit. Partly because I know Troy will have already tried this on his own site.
I hear that one all the time – no big deal, it's only a reflected XSS, the most you can do with this is to abuse yourself.
Kind of, yeah. Here are some of my reasons why Reflected XSS is important:
So, for multiple values of "self" outside the attacker, you can abuse yourself with Reflected XSS.
With all security research, there comes a time when you want to make use of your findings, whether to garner yourself more publicity, or to earn a paycheck, or simply to notify the vendor and have them fix something. I prefer the latter, when it's possible / easy.
Usually, the key is to find an email address at the vulnerable domain – but email@example.com wasn't working, and I couldn't find any hints of an actual web site at adsafeprotected.com for me to go look at.
Troy was able to start from the other direction – as the owner of a site showing these adverts, he contacted the advertising agent that puts ads onto his site, and got them to fix the issue.
"Developer Media" was the name of the group, and their guy Chris quickly got onto the issue, as did Jamie from Integral Ads, the owners of adsafeprotected.com. Developer Media pulled adsafeprotected as a source of ads, and Integral Ads fixed their code.
Sites that were previously vulnerable are now not vulnerable – at least not through that exact attack.
I count that as a win.
Finally, some learning.
Your partners can bring you as much risk as your own developers and your own code. You may be able to transfer risk to them, but you can't transfer reputational risk as easily. With different notifications, Troy's brand could have been substantially damaged, as could Developer Media's and Integral Ads'. As it is, they all responded quickly, quietly and appropriately, reducing the reputational impact.
[As for my own reputational impact – you're reading this blog entry, so that's a positive.]
This issue was easy to find. So it's probably been in use for a while by the bad guys. There are issues like this at multiple other sites, not related to adsafeprotected.
So you should test your site and see if it's vulnerable to this, or similar, code. If you don't feel like you'll do a good job, employ a penetration tester or two.
There's a thin line between "paranoia" and "good security practice". Troy's blog uses good security practice, by ensuring that all adverts are inside an iframe, where they can't execute in Troy's security context. While I could redirect his users, perhaps to a malicious or competing site, I wasn't able to read his users' cookies, or modify content on his blog.
There were many other hosts using adsafeprotected without being in an iframe.
Make it a policy that all externally hosted content (beyond images) is required to be inside of an iframe. This acts like a firewall between your partners and you.
If you're a developer, you need to have a security contact, and that contact must be findable from any angle of approach. Security researchers will not spend much time looking for your contact information.
Ideally, for each domain you handle, have the address firstname.lastname@example.org (where you replace "example.com" with your domain) point to a monitored email address. This will be the FIRST thing a security researcher will try when contacting you. Finding the "Contact Us" link on your web page and filling out a form is farther down on the list of things a researcher will do. Such a researcher usually has multiple findings they're working on, and they'll move on to notifying someone else rather than spend time looking for how to notify you.
This just makes it more ironic when the inevitable vulnerability is found.
As Troy notes, I did have to disable the XSS Filter in order to see this vuln happen.
That doesn't make the vuln any less important to fix – all it means is that to exploit it, I have to find customers who have also disabled the XSS Filter, or find a way to evade the filter.
There are many sites advising users how to disable the XSS Filter, for various (mostly specious) reasons, and there are new ways every day to evade the filter.
The web ad industry is at a crisis point, from my perspective.
Flash has what appear to be daily vulnerabilities, and yet it's still seen to be the medium of choice for online advertising.
Even without vulnerabilities in Flash, its programmability lends it to being used by bad guys to distribute malicious software. There are logic-based and time-based exploits (display a "good" ad when inspected by the ad hosting provider; display a bad ad, or do something malicious, when displayed on customers' computers) which attackers will use to ensure that their ad passes rigorous inspection, but still deploys bad code to end users.
Ad blockers are being run by more and more people – even institutions (one college got back 40% of their network bandwidth by employing ad blocking).
Web sites need to be funded. If you're not paying for the content, someone is. How is that to be done except through advertising? [Maybe you have a good idea that hasn't been tried yet]
I'll admit, I was bored when I found the bug on Troy's site on a weekend. I decided to contact him straight away, and he responded immediately.
This led to Developer Media being contacted late on a Sunday.
This is not exactly friendly of me and Troy – but at least we didn't publish, and left it to the developers to decide whether to treat this as a "fire drill".
A good reason, indeed, to use responsible / coordinated disclosure, and make sure that you don't publish until teams are actively working on / have resolved the problem.
There are people using old and poorly configured browsers everywhere. Perhaps they make up .1% of your users. If you have 100,000 users, that's a hundred people who will be affected by issues with those browsers.
Firefox escaped because it encoded the quote characters to %22, and the server at adsafeprotected didn't decode them. Technically, adsafeprotected's server is not RFC compliant because of this, so Firefox isn't really protecting anyone here.
Chrome escaped because it encoded the quote characters AND has an XSS filter to block things like my attack. This is not 100% safe, and can be disabled easily by the user.
Internet Explorer up to version 11 escaped if you leave the XSS Filter turned on.
Microsoft Edge in Windows 10 escaped because it encodes the quote characters and has a robust XSS Filter that, as far as I can tell, you can't turn off.
All these XSS filters can be turned off by setting a header in network traffic.
Nobody would do that.
Until such time as one of these browsers has a significant flaw in their XSS filter.
So, don't rely on the XSS Filter to protect you – it can't be complete, and it may wind up being disabled.
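A detection-side companion to this post, added here and not the author's code: a parser for Apache combined-format access logs that URL-decodes the query string and the Referer before looking for the quote-then-call shape of the probe used above ("-prompt(). Decoding first matters because of the Firefox behaviour described earlier: a browser that sends %22 instead of a literal quote still leaves the probe in your logs, it just did not reach the vulnerable code, so the log is the place to notice it. The log lines, hosts, paths and timestamps are constructed for the example, and the pattern is tuned to the probe shape on this page; widening it for other payloads is left to the reader.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines; hosts, paths and times are invented for this example.
SAMPLE_LOG = r"""
203.0.113.5 - - [10/Jan/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "https://www.example.com/" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2016:10:01:09 +0000] "GET /ad.js?%22-prompt()-%22 HTTP/1.1" 200 512 "https://www.example.com/" "Mozilla/5.0 Firefox"
203.0.113.9 - - [10/Jan/2016:10:02:30 +0000] "GET /ad.js HTTP/1.1" 200 512 "http://www.example.com?\"-prompt()-\"" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2016:10:03:00 +0000] "GET /about.html?q=books HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format; quoted fields may contain backslash-escaped quotes, as Apache writes them.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A quote character, a JavaScript operator, then something that looks like a function call:
# the shape of the "-prompt()-" probe this post uses.
QUOTE_BREAKOUT = re.compile(r"""["'][-+;]\s*\w+\s*\(""")


def parse_line(line: str):
    """Return the named fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("request", "referer", "agent"):
        fields[key] = fields[key].replace('\\"', '"')   # undo Apache's escaping
    return fields


def reflected_inputs(fields: dict):
    """Yield (location, decoded text) for the two places a reflection probe can sit."""
    parts = fields["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    yield "query", unquote(target.partition("?")[2])
    if fields["referer"] != "-":
        yield "referer", unquote(fields["referer"])


def scan_log(text: str) -> list:
    """Return one finding per (line, location) whose decoded input matches the probe shape."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        for location, value in reflected_inputs(fields):
            if QUOTE_BREAKOUT.search(value):
                findings.append({"host": fields["host"], "time": fields["time"],
                                 "location": location, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} probe in {f['location']}: {f['value']}")
```

On the constructed lines the scanner reports the percent-encoded probe in the second line's query string and the literal one in the third line's Referer, and nothing for the plain requests; a hit in the Referer of a request for a third-party script is the case the post describes, where the reflection happens in your partner's code rather than your own.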
OK, so that's a horrible stretching of a song to cover a point, but it's kind of the way I feel right now – torn between a rock and a hard place.
Some time ago now, I let you readers know that I'd won an iPad at the Black Hat security conference, and that I'd be trying it out to let you know what I thought.
First, let's consider my usage case, and what I am comparing it against.
The iPad is, to my mind, a potential killer device for a few things I like to do:
In common with many people, I have a lengthy commute – at least 40 minutes each way of which is on a bus, so I can happily watch videos. My comparison device in this use case is my Windows Phone – an HTC HD7 (I'd link to it, but apparently it's not being sold any more).
The iPad is bulkier, for certain, and I can hold my phone in one hand comfortably for some time. However, making up for this is the fact that the iPad is a larger display and therefore easier to see at a comfortable distance. But watching on the phone isn't bad either.
Syncing to the iPad is accomplished through Apple's piss-poor iTunes software (of which, more later), which seems to require that my videos be already in a suitable format for the iPad. Syncing to the HD7 requires the Zune software, which is configured by default to convert video and audio in the background without any further assistance from me.
Note that – Zune converts the videos to the right format automatically when necessary; the iTunes software simply shrugs its shoulders like a Frenchman and refuses to cope.
Because of this, I can sync to the HD7 from more sources, and more easily and automatically than to the iPad.
However, the winning step that the iPad has for me comes from a combination of its viewing size, and the fact that it can play the audio from my videos to my Bluetooth headset, something that the HD7 currently does not. I have to use a Bluetooth dongle on the HD7 to hear my videos – and that's not right, when I already paid for a phone with Bluetooth support.
It's worth noting, however, that because the iPad seems to pretend to be a phone, I can't have the appropriate level of Bluetooth support, allowing incoming phone calls to pause my video and let me answer the phone.
So, a narrow win for the iPad there. But keep reading. [Add Bluetooth support for video watching, and the Windows Phone will easily surpass the iPad]
Killer app, no doubt – the size and colours make the iPad superior for reading comics. For other books, you can't really beat a Kindle, because it's the size and shape of a book. The iPad does seem to suffer in daylight as well, not that we get much of that around Seattle – but we clearly get enough for this to be a noticeable problem for me.
The Kindle Fire is a more subtle device than the iPad in this use as well, since it doesn't take up as much space. The battery life, as well as the use of standard charging cables (read: I already have dozens of the things, as opposed to having to look for the one wonky, too short cable that came with the iPad) makes the convenience factor that much greater.
However, I've even read my comics on the Windows Phone. It's not that bad a format, because the display is so high a resolution.
Winner: Kindle Fire. Of course, I would say that. But since the Fire has no Bluetooth audio, I can't use it on the bus as comfortably for my videos.
The iPad is certainly convenient for this, with free Twitter and Facebook apps, as well as a web browser to use the online versions. The iPad's desire to keep pushing text further and further to the right of the screen, in ever-decreasing strips of window, makes it incredibly difficult to read some items.
In comparison, while the Windows Phone does have a free Twitter and Facebook app, and access to the web, it doesn't actually need any of these, because there are the "Me" and "People" tiles, through which you can read notices from all your social media sources (Twitter, Facebook, Linked-In, MSN Messenger in my case). This gives a more natural, integrated feel to the communication, and it feels more like I'm sharing with my friends than I'm using this or that app.
Winner: Windows Phone, hands down. [But it would be nice to have Bluetooth keyboard support]
OK, the iPad wins hands-down on this one. There's a Skype app in beta for the Windows Phone, but my HD7 has only a rear-facing camera, and the Fire of course doesn't have one.
Winner: iPad (but only because I have a 1st-gen Windows Phone)
The iPad has no Flash support – but then nor does the Windows Phone.
The iPad uses a webkit-based browser, which comes with a fresh batch of security flaws once a month (as does iTunes). The Windows Phone comes with Internet Explorer – but without the same set of flaws that get patched in your regular Windows update. I strongly believe that the Windows Phone gives me the most secure browsing of any device that I have. But it is a little hard to read.
I got the iPad for free, so I have to bear in mind that for most people, they pay $500 to have it. It's not that much better than the Windows Phone. I got the Windows Phone for practically free – one cent on Amazon Wireless, with a two year commitment. But then I was going to get a phone anyway, and the two year commitment is common for phones.
As with every Apple product I have ever used, it seems like they skimped a little on the "fit and finish" of the software. This leads to small – but constant – irritations. There have been many times I've been tempted to throw it to the floor and stomp on it. So far, the iPad has survived largely because I know that if I want to get rid of it, there are numerous people who would happily take it from me. And then I settle down.
So, what are my irritations?
There are some areas where it's clear that the Apple design philosophy hasn't been communicated well – even to writers of the native apps.
A clear example – how do you delete an item? In iBooks, you swipe to the right, which causes a delete button to appear. You press this button, and the item goes away. In Videos, you hold your finger on an item until a little "x" appears. You press the "x", and are asked if you really want to delete the video. I guess videos are more important than books, that you have to be prompted.
I should say that this is how videos are supposed to be deleted. What actually happens is that you hold your finger on a video for a while. The "x" fails to appear, because you wiggled your finger a little (really common on a bus). So you let your finger up, and the video opens up. So you close it down again, and hold your finger on the video again. Now the "x" appears – albeit sometimes in a different place than you expect. So you press it. Damn, missed, because the bus must have hit a bump, so the "x" goes away. Bring it back! Bring it back! Okay, here it is again, so I can press it finally. And then I get asked if I'm sure. Am I sure? Am I sure? I've only spent the last ten minutes trying to get the damn "x" up on screen and hit it – of course I'm sure! And I remind myself not to throw the iPad to the floor and stomp on it.
Yes, I know about the "Edit" button, and that shortcuts one part of the process, but makes it more likely that you'll accidentally delete the wrong video, because it puts an "x" above each one.
[A short note – the "x" appears in one of two places – either immediately on the top left corner, or a good half-inch above that. I can see no logic in why it does this.]
In the Videos app, there are three kinds of video: "Movies", "TV Shows", and "iTunes U". The "TV Shows" and "iTunes U" items all come from iTunes, so all the videos I put on my system end up in "Movies", no matter what metadata I put on the file. Whereas I never metadata I didn't like, iTunes clearly never metadata. For the iTunes U and TV Shows tabs, each item is listed with details – length, a title, and a description. This is great, although it would also be nice to see which ones I'm part-way through watching.
For the Movies tab, however, there are only two things showing – a thumbnail, which is the first frame of the movie (oh, and so often, that means it is plain black), and the curtailed title of the video. So, "Have I Got News for You: Series 42, Episode 5" is displayed as "Have I Got News for You:…" – as is every episode of every series of that show. Same thing for "The Sarah Jane Adventures…", or "Who Do You Think You Are…" Yeah, the BBC could choose shorter titles, but the iPad could pay attention to the Subtitle field in the metadata for the episode information. Oh, yeah, that's right, metadata is to be ignored.
And there are no details on the video – no duration, no description, no indication of whether or not I've been watching this video file at all. I'd like to say "hey, this component of my bus ride is going to take another twenty-five minutes, so I'd like to watch something that length or shorter".
When watching a video, you can "scrub" through it by dragging a little slider at the top of the screen. Except when the slider is near the middle of the top of the screen, because then you're going to actually be pulling down the notifications window. If anyone writing this software actually used an iPad, they'd be experiencing this frustration, and it would have been fixed by now.
To go backward in the user interface of an app, you click the button in the top left. Except that sometimes, the button in the top left takes you somewhere else, like the iTunes store.
You can delete videos all you like, bus joggling allowing, and when you're done, your storage usage hasn't gone down at all. There is no room for more videos. This one confused me for some time, until I remembered that you never actually close apps when you switch between them. The storage is released, not when you delete the movie, but when you close the app.
That would make sense, if you could actually undelete the movie while the videos app runs, but no. That doesn't happen.
I could carry on, but I just get angrier and angrier. The difference between editing the list of apps you can run, versus editing the list of apps currently running, for instance. One is dismissed by a tap, the other requires that you hit the home button, and I can't remember which one.
So, the first complaint I have about iTunes is the one I have made from the beginning – it includes way too much, and it screws up my system way too badly. What do you get when you install iTunes?
Well, first you get a file called "iTunes64Setup.exe". This installs iTunes into "C:\Program Files (x86)" – uh, yeah, that means the "64 bit" version of iTunes is actually all 32-bit. Then it tells you:
What does iTunes have to do with Outlook? That's crazy.
And then, what does it install? Only another four applications.
When syncing videos to the iPad with the Windows version of iTunes, they are synced with at least one default setting not correctly set.
That'd be fine if it was an unimportant setting, but no. The setting is "resume from where I left off". That means that every time I switch videos, or close the video application (see previous discussion of why I need to do this to recover storage), the video I want to watch starts again from scratch.
There is a simple fix to this – for every video I upload to the iPad, I have to go into iTunes, select the video, right-click it, select "Get Info", open the "Options" tab, uncheck the box that says "Remember Playback Position" (or if I selected multiple videos, set to "No" the drop-down arrow labeled "Remember Position"), hit "OK" (there is no "Apply"), wait for this action to sync to the iPad, then right-click the video(s) again, select "Get Info", open the "Options" tab, and then recheck the box (or set the drop-down box to "Yes"), hit "OK" and sync once again.
For weeks I've been complaining that every USB device on my system has been unreliable – I have to plug and unplug simple USB flash drives a half dozen times before they finally get recognised in Explorer.
Then it finally dawned on me.
One device has been steadfastly reliable, always becoming active and ready to use within seconds of plugging it in. Yes, it's the iPad.
Acting on this hunch, I removed iTunes, Apple Mobile Device Support, Apple Application Support, Apple Software Update, Bonjour, and even QuickTime (not sure how that got on there). Suddenly all my USB devices connect first time, every time. With the exception of the iPad, of course, which sulks if it doesn't have iTunes (though the same charge can be leveled against my Windows Phone requiring Zune – although that hasn't yet caused all my other USB devices to become unavailable).
Adding iTunes back in to the mix, strangely, has yet to reproduce the same unreliable behaviour. I strongly distrust software acting randomly.
If I could just drag my videos into a folder using Explorer without installing iTunes (since iTunes doesn't actually properly do any of the other things that an intermediate program should do, such as converting video formats, extracting and using metadata, or setting the "resume from where you left off" option), I'd be happy without iTunes on my PC at all.
There are other reasons not to like the iPad – it's too trendy, for one; and it's not really a $500 product. There are, as I point out above, too many areas where it's clear that the developers have not finished the job.
I use the iPad simply because it's free, and has a large display.
I'd far rather use a tablet that works in a more predictable and controlled manner, where the applications on the device and to sync the device have the flavour of being finished.
But I didnât get one of those for free.
I got an iPad.
And I'm grateful.
Even if, once in a while, I want to dash it to the floor and stomp it into pieces.
As a big fan of The IT Crowd, I'm a happy reader of its author Graham Linehan's blog, "Why That's Delightful!". It certainly helps to explain to American viewers tonight's episode. And yes, I did try and persuade Microsoft to give Moss an MVP award. Maybe I should have suggested Roy instead, since he mostly does windows.
However, the other day, looking for the blog on a machine on which my bookmarks don't reside, I was rather shocked to see "Why, that's delightful!", when I typed in what I thought was Mr Linehan's blog address. Totally not the site I was looking for. I was completely unprepared. I hope Graham Linehan knows he has a competitor for the same search meme.
Graham Linehan is the author (along with Arthur Mathews) of that other staple of British (or Irish?) humour, "Father Ted" (memorable, also, for being produced by the late Geoffrey Perkins, of Radio Active and Hitch-Hiker's fame). If you've not seen them yet, go watch them – rent them on Netflix, watch The IT Crowd on IFC, and Father Ted on wherever you can find it in this country, whatever you have to do to make this a part of your comedy intake.
But beware of imitations, when it comes to your favourite blogs.
[And donât try and use Windows Media Center to sync The IT Crowd from IFC to your Zune, because IFC marks all their programming for DRM, with the aim that it canât be copied. Boo, hiss, IFC.]
OK, admittedly, the name isnât really that long, but even though Iâm spending this week on Microsoftâs home turf, I canât say that Iâve met two people who can trip off their tongue the proper name of the new version of Windows Mobile:
Seriously? Every single word there is a generic term, and will have large numbers of inappropriate matches when you go searching for them.
Right now, while the hype is high, a search for those terms brings back mostly matches for the Windows Phone, but in a few weeks, it's anyone's guess what you'll find.
Search for iPhone, or iPad, by comparison, and although you'll find a pile of parody sites, at least those parodies are parodies of the products in question. Every search result is relevant to the iPhone.
Why can't Microsoft come up with a simple, single, searchable brand name for their products? We see this all the time, with Bookshelf, Access, Excel, Word, Windows, Bob, etc.
What would be so difficult about picking up on the idea that this is, essentially, a Zune phone? Call it a "Zhone", give it an interesting pronunciation (think "Zh is to Sh as Z is to S" — like the French "J" sound), and you've made for immediate cool, cemented the link with the Zune (hmm… could depend on how people like the Zune — personally, I'm so impressed by the Zune HD that I wish I could justify one to the wife), and made the product immediately searchable and identifiable. (Or if that name's taken, Zuphone, Phozune, Phune, etc.)
But no, seriously dorky names are en vogue at Microsoft, always have been and probably always will be. Of course, why should you listen to me, a security guy who dabbles in development and has no marketing ability, when instead you've got all those highly paid marketers who tell you that "Windows Phone Seven Series from Kyocera [or Dell, Samsung, etc]" will sell?
Notice, however, that the only thing I have to diss this phone on is its name. Having briefly played with a Zune HD, if it follows the promise of being the same kind of device with phone capabilities added on, this will be a trouser-changing experience. [I'm told the expression to use is "game-changing experience", but the Zune HD combined with phone would simply be that good.]
Every so often, someone on one of the security mailing lists to which I subscribe will post a frothing rant from someone who has discovered their own personal "magic bullet" which solves all their security woes. This time, it's a guy who was convinced that Microsoft's recent out-of-band Internet Explorer patch MS08-078 is actually a conspiracy by Microsoft (and the government, of course) to invade your computer.
Okay, now aside from the point that, technically, Microsoft "pwns" your computer if you run their OS, and they don't need to install patches to continue to do so; aside from the Ballmer defence ("If we were actually evil, don't you think we'd be doing a better job at it?"); aside from that and many other considerations, what evidence did this guy have that the patch is a conspiracy?
Gibson Research's ShieldsUp site reported that his system was "Fully Stealthed".
[For those of you non-geeks reading the blog, that means that his firewall was closed up so tight that his system was not responding to any attempt to connect.]
Many other people have made, or will make, the obvious note that the patch is for a browser client bug, whereas the firewall ignoring all incoming requests only protects against server-related bugs, so I'll leave it to those people to discuss that.
My concern is that Gibson is still pitching the idea that "Fully Stealthed" is a good idea.
TCP/IP, the network protocol on which much of the Internet is currently based, is designed around certain error reporting mechanisms that keep the system able to route around trouble.
One of these mechanisms is the TCP RST (reset) flag. The reset flag is a great tool, as it says in a single bit "I received this packet, but I can completely guarantee that it's not meant for me". Another similar mechanism is the "ICMP Host Unreachable" response, which says "You appear to be trying to send a packet through me to another machine, but although I'm not a bad place to send that packet through, I can't seem to reach that machine just now".
When you're "Fully Stealthed" (or completely non-responsive, if you prefer), it's like you're a black hole, and neither the TCP RST flag nor the ICMP Host Unreachable errors are returned from your system.
That's great, right, because it means that your attackers can't tell you're there? It's like you're a black hole, no one can see you, right?
That sounds good in theory, except that even black holes can be seen, because they don't act like the empty space that might otherwise be there.
Similarly, a "Fully Stealthed" machine gives away its presence by occupying an IP address that will not respond at all when you try to contact it. Very much like a black hole, it's clear that it's there, because if there was nothing there, the upstream routers would be passing back ICMP Unreachable messages.
OK, so maybe they know that I've got a machine here, at this IP address, but it's safe, because it's Fully Stealthed — Stealth just sounds so cool, especially since it's a verbed noun! It's alright that I look like a hole to the rest of the Internet, because nobody can do anything to me!
The attacker can pretend to be you, because there's nothing you're going to say about it.
Let me qualify that — of course, the attacker can't use your password if he doesn't know it, nor can he use your private keys. But he can use another thing that some sites use as part of the proof that you are who you claim to be.
He can use your IP address.
A few things prevent this normally:
So, numbers 1 and 3 aren't always a barrier — number 2 is definitely a barrier if the attacker needs to maintain the connection for more than a few fractions of a second, as the RST from the spoofed IP address will cause the server to drop the connection and ignore what the attacker is trying to do.
So, this is a valuable protection that a "fully-stealthed" firewall is going to throw away for you — the ability to spot when someone is spoofing your IP address, and to respond back to say "uh, that isn't me — stop talking to him".
A firewall should behave as if the machine is present but disinterested, and should actively refuse misguided connection attempts and responses, not merely ignore them. There's a big difference between the two behaviours. Don't use the sensationalist terminology of a poor substitute for an expert as a replacement for understanding of your risks and threats.
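To make the RST argument above concrete, here is a constructed model (added here, not code from the post): a server records the half-open connection created by a SYN whose source address was spoofed, and the real owner of that address either answers the server's SYN-ACK with a RST (a "present but disinterested" REJECT firewall) or swallows it (a "Fully Stealthed" DROP firewall). The addresses, ports and sequence numbers are made up for the illustration.

```python
from dataclasses import dataclass, field

DROP, REJECT = "drop", "reject"   # the two firewall policies compared
VICTIM_IP, SERVER_IP = "192.0.2.10", "203.0.113.5"   # constructed addresses

@dataclass
class Server:
    """Keeps half-open TCP connections keyed by (client_ip, client_port)."""
    ip: str
    half_open: dict = field(default_factory=dict)

    def on_syn(self, src_ip, src_port, seq):
        # Record the half-open connection and answer with a SYN-ACK. The
        # SYN-ACK is routed to src_ip, whoever really sent the SYN.
        self.half_open[(src_ip, src_port)] = seq + 1    # ACK we expect back
        return {"type": "SYN-ACK", "dst": src_ip, "dst_port": src_port,
                "seq": 9000, "ack": seq + 1}

    def on_rst(self, pkt):
        # An RST carrying the sequence number we are waiting for aborts the
        # connection (RFC 793); anything else is ignored.
        key = (pkt["src"], pkt["src_port"])
        if self.half_open.get(key) == pkt["seq"]:
            del self.half_open[key]

@dataclass
class Host:
    """The real owner of VICTIM_IP, behind a DROP or REJECT firewall."""
    ip: str
    policy: str

    def on_packet(self, pkt):
        # A SYN-ACK for a connection this host never opened: a normal stack
        # answers with RST, a 'fully stealthed' firewall swallows it.
        if self.policy == DROP or pkt["type"] != "SYN-ACK":
            return None
        return {"type": "RST", "src": self.ip, "src_port": pkt["dst_port"],
                "seq": pkt["ack"]}

def spoofed_connection_survives(policy):
    """A SYN arrives claiming VICTIM_IP as its source (sent by someone else).
    Does the server still hold that connection once the real owner reacts?"""
    server, victim = Server(SERVER_IP), Host(VICTIM_IP, policy)
    syn_ack = server.on_syn(VICTIM_IP, 40000, seq=1)   # spoofed SYN arrives
    answer = victim.on_packet(syn_ack)                  # SYN-ACK reaches owner
    if answer is not None:
        server.on_rst(answer)
    return (VICTIM_IP, 40000) in server.half_open       # True = spoofer keeps it
```

With `REJECT` the owner's RST tears the spoofed connection down; with `DROP` it stays half-open, which is exactly the protection the post says a stealthed firewall throws away.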
So, whatâs the scoop?
How sneaky of Microsoft, to fool us into thinking that "Windows 7" was just the code name, when in fact it was also the release name!
Me, I think it's because there was just no good way to include hints of the code-name in the final release name, like Microsoft have done in the past.
Think about it — "Cairo" spawned "Windows XP" — the Greek letters chi and rho are written "ΧΡ" (lower-case is "χρ") (if you don't have the Greek font, that looks almost indistinguishable from "XP"). I'll always think of it as "Windows No Parking".
Windows 6 became Windows Vista — get it, six is "vi" in roman numerals?
So, Windows 7 should have been Windows Viista. Or maybe the name could have made obscure art-house movie references, and been called "A Vee and two ones". Ah, but anything with VII in it might be perilously close to Intel's VIIV product (currently residing in our "where are they now" file).
Perhaps this should make us think back to the last time a Windows client operating system was referred to by the word "Windows" followed by its version number — yes, "Windows 7" is designed to hearken back to "Windows 3.11". Ah, yes, those were the days, indeed.
I can't wait to see what's coming in Windows 7, particularly things like Multi-touch support (though I have yet to purchase a system that has even single touch support).
Seven also marks Windows' transition from an acid into a base.
Man, if I were dumb enough to claim anything as "unbreakable", I'd probably want to claim that you have a little bit more than two months of unbreakability (and yes, that is an unretouched graphic from Oracle's site).
Cousin Jeff notes that Mary Ann Davidson, head honcho of Security at Oracle, previously remarked on the previous "Unbreakable" campaign "What idiot dreamed this up?"